News

Ransomware attack on Arup staff payroll data

Image: Dreamstime/Lagartofilm

A ransomware attach on a third party payroll provider has seen some Arup staff’s data compromised.

Arup was informed on 11 March that the payroll firm had been hacked on 12 January. The incident has been reported to the Information Commissioner’s Office.

In a statement, Arup said: “We have been informed about a data incident impacting our payroll provider Symatrix and are working closely with them to establish the extent to which our staff have been affected. Our commitment to data security remains a priority and we are working at pace to resolve the issue.” 

Symatrix issued the following statement: “We can confirm that the Symatrix internal network was the target of a cyber attack on 12 January. Our IT experts took immediate steps to contain the incident, including shutting off our internal servers, and engaged a dedicated team of IT forensic experts to conduct a thorough investigation. We notified the Information Commissioner’s Office and the police via Action Fraud, and kept customers regularly updated on the investigation progress.

"Our investigation concluded in March and we notified a small number of Symatrix customers who were impacted in the incident to let them know what happened and the support we were offering. Our systems are restored and we are servicing our clients as normal.”

This news comes less than four months since a ransomware attack on Amey.

Data breach law firm CEL Solicitors said it has received enquiries from some Arup staff. It claimed the data compromised includes the likes of name, bank account number, bank sort code, national insurance number, date of birth and address. It also said that staff at Arup have been instructed to contact their banks and check there has been no unexpected activity, and that they have been offered free access to an identity protection service.

CEL director Mark Montaldo said: “As cyber criminals become more sophisticated in how they access data, they are able to delve deeper into sensitive information, hacking into bank account details, national insurance numbers and addresses.

“This example of Arup’s also demonstrates how [criminals] are willing to impact a global company via a third party. From recent cases, we can also quite clearly see how the perpetrators do not discriminate against industry, with no sector being 100% safe from such fraudulent activity, so it’s essential that firms – of all sizes – take action to make sure their data protection processes are watertight.”

He added: “It is vital that, if you are employed by Arup, or have been at some point since November 2018, you contact your bank and tell them about the incident.

“Be on your guard for any unexpected activity and check your bank balance and transactions regularly. The repercussions of a hack like this may not always happen straightaway, so it is extremely important to maintain a high level vigilance.”

Read the most recent advice on data breaches from CM’s sister publication BIM+.

Story for CM? Get in touch via email: [email protected]

Latest articles in News